Shell Knocker Server

Signs of Shell Knocker Server

  • The server is communicating in an unusual manner with an internal client on a port that has previously shown a stable pattern for requests and responses
  • The request received by the server and the response sent by it don’t conform to any of the previously observed patterns
  • The threat score is driven by the duration of the connection between the client and the server; if the server returns a null response, it is driven instead by the size of the client request
  • The certainty score is driven by the level of dissimilarity between normal patterns of communication and the flagged communication

Why Attackers Use Shell Knocker Server

  • The server has been compromised and the port has been hijacked to enable communication to the compromised part of the system without requiring a new port to be utilized for the communication
  • The client or the server has been recently upgraded and the pattern of use on the server port has changed
  • The client which triggered the detection has an unusual configuration in that it communicates with the port on this server in a manner unlike all the other observed communication on the port

Business Impact of a Shell Knocker Server

  • Port hijacking is a technique attackers use to communicate with a compromised server without raising the alarms that opening a new port on an existing server may trigger
  • Compromised servers are often more valuable than compromised laptops as they remain on the network at all times and are often located in the data center where most of an organization’s important data resides

How to Investigate Shell Knocker Servers

  1. See if the pattern of the flagged request and response represents an acceptable deviation from the normal patterns or a significant departure, such as binary data in an otherwise character-based protocol
  2. Inquire whether the software which emitted the request on the client has recently been updated as this may cause detections for a short period of time after the update
  3. Inquire whether the software on this server which responded to the request has recently been updated as this may cause detections for a short period of time after the update
  4. This type of backdoor is most likely to be in a kernel module, so produce a list of all installed kernel modules and verify it against a list of known-good kernel modules
  5. If the changed pattern remains unexplained, boot the client and server using a known good image on a USB device, then mount the local drive and scan it for signs of compromise
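The following is an added example, not Vectra's own code, of the comparison in step 1: it measures how far a flagged request/response pair departs from a baseline of normal exchanges on the same port (binary bytes in a character-based protocol) and picks the threat driver the way the signs above describe. The exchanges, the 0.2 dissimilarity threshold and the field names are constructed assumptions.

```python
"""Score a flagged exchange against normal traffic on one server port."""
from dataclasses import dataclass
import string

PRINTABLE = set(string.printable.encode())  # printable ASCII incl. \r\n\t


@dataclass
class Exchange:
    request: bytes
    response: bytes
    duration_s: float


def printable_ratio(data: bytes) -> float:
    """Fraction of printable bytes; an empty (null) payload counts as 1.0."""
    if not data:
        return 1.0
    return sum(b in PRINTABLE for b in data) / len(data)


def baseline(exchanges):
    """Lowest printable ratio seen in normal requests and responses."""
    return (min(printable_ratio(e.request) for e in exchanges),
            min(printable_ratio(e.response) for e in exchanges))


def assess(flagged: Exchange, normal) -> dict:
    req_floor, resp_floor = baseline(normal)
    # Certainty: how far below the normal floor the flagged exchange falls.
    dissimilarity = max(req_floor - printable_ratio(flagged.request),
                        resp_floor - printable_ratio(flagged.response), 0.0)
    # Threat driver: connection duration, unless the response is null,
    # in which case the size of the client request drives it.
    if flagged.response:
        driver, value = "duration_s", flagged.duration_s
    else:
        driver, value = "request_size", len(flagged.request)
    return {"binary_in_text_protocol": dissimilarity > 0.2,  # assumed cut-off
            "dissimilarity": round(dissimilarity, 3),
            "threat_driver": driver, "threat_value": value}


# Constructed sample: a character-based HTTP-like protocol on one port.
NORMAL = [
    Exchange(b"GET /status HTTP/1.1\r\nHost: app\r\n\r\n",
             b"HTTP/1.1 200 OK\r\n\r\nok\n", 0.02),
    Exchange(b"GET /health HTTP/1.1\r\nHost: app\r\n\r\n",
             b"HTTP/1.1 200 OK\r\n\r\nup\n", 0.03),
]
# Constructed flagged pair: 38 non-printable bytes in, null response out.
FLAGGED = Exchange(b"\x00\x17\x8a\xff\xde\xad" + bytes(range(0x80, 0xA0)),
                   b"", 240.0)
```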
